How to use Shopify store auth with Claude or Codex to speed up Shopify development

If you’ve ever wanted to fire ad-hoc GraphQL queries against a Shopify store from your terminal without spinning up a full app or wrestling with Postman, good news — the Shopify CLI added two commands in 3.93.0 (released April 2026) that make this genuinely pleasant: store auth and store execute.

This post walks through the workflow, the common gotchas (don’t worry — they’re all fixable in seconds), and gives you a copy-paste template command. We’ll also cover how to pair these commands with an AI coding assistant like Claude Code or Codex so the assistant does the Admin API legwork for you.

TL;DR

# Authenticate once (opens browser for OAuth)
shopify store auth --store your-store.myshopify.com --scopes <comma-separated-scopes>

# Run a query
shopify store execute --store your-store.myshopify.com --query "query { shop { name } }"

# Run a mutation (requires opt-in flag)
shopify store execute --store your-store.myshopify.com --query "mutation { ... }" --allow-mutations

Requirements

• Shopify CLI 3.93.0 or higher. Check with shopify version. Upgrade with npm install -g @shopify/cli@latest (or brew upgrade shopify-cli).
• Be logged into a Shopify account that has access to the store (owner or staff with appropriate permissions).

Gotcha #1: “Command not found”

On older CLI versions you’ll see something like:

Command `store auth` not found. Did you mean `config autocorrect status`?

The autocorrect suggestion is misleading — the command simply doesn’t exist in versions older than 3.93.0. Upgrade with npm install -g @shopify/cli@latest and you’re sorted.

Step 1: Authenticate

store auth uses Shopify’s built-in connector app under the hood, so you don’t need to create your own custom app. You just enumerate the Admin API scopes you want, comma-separated.

There’s no wildcard “all scopes” option — list them explicitly. That’s actually a good thing security-wise (least-privilege), but it makes the first run a little verbose.

Finding your --store value

The --store flag wants your store’s myshopify.com URL (e.g. your-store.myshopify.com) — not your custom domain. Even if customers see example.com, the underlying store URL is always <handle>.myshopify.com, and that’s what the CLI needs.

Two quick ways to find it:

• From the admin URL. When you’re logged in, the address bar reads https://admin.shopify.com/store/<handle>. Your store URL is <handle>.myshopify.com.
• From Settings → Domains. The myshopify.com URL is listed alongside any custom domains — it’s the one that never changes, even if you rebrand the customer-facing domain.

You can pass it with or without the https:// prefix — the CLI accepts both. If you mistype it, you’ll get a clear OAuth error rather than a silent failure, so don’t stress about getting it perfect first time.

Copy-paste template

Here’s a broad set of read+write scopes that covers most general-purpose work, with Plus-only and Payments scopes already excluded (those tend to throw OAuth errors — see gotcha #2):

shopify store auth --store your-store.myshopify.com --scopes read_products,write_products,read_product_listings,read_orders,write_orders,read_draft_orders,write_draft_orders,read_customers,write_customers,read_inventory,write_inventory,read_locations,read_fulfillments,write_fulfillments,read_assigned_fulfillment_orders,write_assigned_fulfillment_orders,read_merchant_managed_fulfillment_orders,write_merchant_managed_fulfillment_orders,read_third_party_fulfillment_orders,write_third_party_fulfillment_orders,read_shipping,write_shipping,read_price_rules,write_price_rules,read_discounts,write_discounts,read_marketing_events,write_marketing_events,read_content,write_content,read_themes,write_themes,read_script_tags,write_script_tags,read_reports,write_reports,read_resource_feedbacks,write_resource_feedbacks,read_checkouts,write_checkouts,read_translations,write_translations,read_locales,write_locales,read_publications,write_publications,read_metaobjects,write_metaobjects,read_files,write_files,read_online_store_pages,write_online_store_pages

Trim the list to what you actually need — apps should request the minimum scope set required to do the job. The full scopes reference has the complete list with descriptions.

The command opens a browser for OAuth consent. Approve, and the token is cached locally for future commands against that store.

Gotcha #2: missing_shopify_permission errors

Don’t worry if you see this one — it’s a quick fix. When the OAuth screen errors with something like:

Oauth error missing_shopify_permission: read_shopify_payments_dispute_evidences

…that scope requires something the store doesn’t have — commonly Shopify Payments being active, or a special Shopify-side approval. The built-in CLI connector app can’t request gated scopes, so OAuth fails on the first one it can’t grant.

Fix: remove the offending scope from --scopes and re-run. The error tells you exactly which scope tripped, so just peel them off until OAuth succeeds. Usually only takes one or two tries.

Common culprits:

• read_shopify_payments_* — needs Shopify Payments enabled on the store
• read_all_orders — needs Shopify approval (this is what unlocks orders older than 60 days)
• read_gift_cards / write_gift_cards — needs approval
• read_users / write_users — Shopify Plus only

If you genuinely need any of these, the CLI connector route won’t get you there — you’ll want to create a real custom app in the admin instead (Settings → Apps and sales channels → Develop apps). For everything else, the CLI is the faster path.

Step 2: Run queries with store execute

Once authenticated, store execute is your GraphQL Admin API runner:

shopify store execute --store your-store.myshopify.com --query "query { shop { name primaryDomain { url } } }"

Useful flags:

• --json — machine-parseable output
• --output-file results.json — write straight to disk
• --query-file ./my-query.graphql — load query from a file
• --variable-file ./vars.json — pass variables from a file
• --version 2025-07 — pin to a specific Admin API version

Mutations require --allow-mutations

By default, mutations are blocked — a really nice safety net so you don’t accidentally write to a live store while exploring:

shopify store execute --store your-store.myshopify.com --query "mutation { productUpdate(...) { product { id } } }"
# blocked

Add the flag to let it through:

shopify store execute --store your-store.myshopify.com --query "mutation { productUpdate(...) { product { id } } }" --allow-mutations

Re-authenticating

If the token expires or you need different scopes later, just re-run store auth with the updated --scopes list. As of CLI 3.93.1, previously-granted scopes are preserved across re-auths, so you can add scopes incrementally without losing what you already had — really handy.

To switch accounts entirely, run shopify auth logout first.

Pairing with Claude Code or Codex

Here’s where this really starts to feel like a superpower. Once you’ve authenticated a store once, an AI coding assistant — Claude Code, Codex, whichever you prefer — can drive the whole store execute command itself. You describe what you want in plain English, and the assistant writes the GraphQL, runs it, parses the JSON, and hands you the answer. No browser tabs, no Postman, no copy-paste between an app and the admin.

Some examples of what becomes a 30-second job rather than a 30-minute one:

• “Find every product tagged sale that has zero inventory across all locations.”
• “Pull all orders from the last 7 days, group them by sales channel, and total the revenue.”
• “List the 50 customers who’ve spent the most but haven’t ordered in 90 days.”
• “Update the SEO title on these 12 product handles to match the new template.”
• “Show me every collection that doesn’t have a meta description.”

A few things make this combination unusually fast:

• No app setup overhead. No custom app, no API key copy-paste, no .env file. The CLI already has the token cached, so the assistant just shells out and runs the query.
• The assistant already knows the Admin API. It writes valid queries and mutations against the version you pinned with --version, usually on the first try. If it doesn’t, the error message from the API is enough for it to self-correct.
• Mutations stay gated. --allow-mutations is opt-in per command, so you can let the assistant explore freely with read-only queries and only flip the flag when you’ve reviewed the mutation it wants to run. That gate is genuinely useful for agentic workflows where the assistant might otherwise run something destructive.
• The iteration loop is tight. Run query → see JSON → tweak → re-run. The assistant does all four in seconds, where the same loop in Postman is minutes per cycle. And because the output is JSON, the assistant can chain queries — using the IDs from one result to drive the next.
• It’s terminal-native. The assistant sees the full output, including any errors. No screenshots, no copy-paste between tools, no “could you paste what you got back?”.

In practice, once auth is set up, you can sit and describe what you want to know about a store — sales by channel for last month, products missing alt text, customers who’ve never been emailed, draft orders older than a week — and the assistant produces, runs, and explains the result. It’s the difference between “GraphQL is something I can do” and “GraphQL is something I do conversationally.”

It works just as well for bulk write work: tagging products, updating metafields, adjusting prices, fixing typos across collections. Describe the change, let the assistant draft and run the mutation behind --allow-mutations, sanity-check the result. What used to be a one-off script or a CSV round-trip becomes a couple of turns of conversation.

One habit worth keeping: leave --allow-mutations off by default and only enable it when you’ve reviewed the exact mutation. The flag is a safety net specifically for this kind of agentic workflow — don’t bypass it by aliasing it on.

When to use this vs. other options

• store auth + store execute — one-off queries, debugging, quick data pulls, terminal-native GraphQL scripting, and anything you want an AI assistant to drive.
• Custom app in the admin (Settings → Apps and sales channels → Develop apps) — needed if you require gated scopes the connector can’t request, or for a long-lived integration with its own access token.
• shopify theme dev — if you’re only doing theme work, don’t bother with any of this. Theme commands handle auth implicitly.

That’s it

Two commands, one OAuth flow, and you’ve got a terminal-native way to poke at any Shopify store you have access to. Pair it with Claude or Codex and you’ve got something genuinely better than Postman — a conversational interface to the Admin API. Have a play with a read-only query first, then start handing the assistant bigger tasks. You’ll be surprised how quickly it becomes your default way of working with Shopify data.

Further reading

• Shopify CLI — Store commands reference (the canonical docs for store auth and store execute)
• Shopify CLI overview
• GraphQL Admin API reference — every query and mutation you can fire at store execute
• Access scopes reference — the full list of scopes and what each one unlocks
• Claude Code documentation
• OpenAI Codex CLI on GitHub